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Abstract. We propose an univesal scheme to design loop-free and super- 
stabilizing protocols for constructing spanning trees optimizing any tree 
metrics (not only those that are isomorphic to a shortest path tree). 
Our scheme combines a novel super-stabilizing loop-free BFS with an 
existing self-stabilizing spanning tree that optimizes a given metric. The 
composition result preserves the best properties of both worlds: super- 
stabilization, loop-freedom, and optimization of the original metric with- 
out any stabilization time penalty. As case study we apply our composi- 
tion mechanism to two well known metric-dependent spanning trees: the 
maximum-flow tree and the minimum degree spanning tree. 



1 Introduction 

New distributed emergent networks such as P2P or sensor networks face high 
churn (nodes and links creation or destruction) and various privacy and security 
attacks that are not easily encapsulated in the existing distributed models. One of 
the most versatile techniques to ensure forward recovery of distributed systems 
is that of self- stabilization [1-3]. A distributed algorithm is self-stabilizing if 
after faults and attacks hit the system and place it in some arbitrary global 
state, the system recovers from this catastrophic situation without external {e.g. 
human) intervention in finite time. A recent trend in self-stabilizing research 
is to complement the self-stabilizing abilities of a distributed algorithm with 
some additional safety properties that are guaranteed when the permanent and 
intermittent failures that hit the system satisfy some conditions. In addition to 
being self-stabilizing, a protocol could thus also tolerate crash faults [4,5], nap 
faults [6,7], Byzantine faults [8-11], a limited number of topology changes [12- 
14] and sustained edge cost changes [15, 16]. 

The last two properties are especially relevant when building optimized span- 
ning trees in dynamic networks, since the cost of a particular edge and the net- 
work topology are likely to evolve through time. If a spanning tree protocol is 
only self-stabilizing, it may adjust to the new costs or network topology in such 



a way that a previously constructed spanning tree evolves into a disconnected 
or a looping structure (of course, in the absence of network modifications, the 
self-stabilization property guarantees that eventually a new spanning tree is con- 
structed). Now, a packet routing algorithm is loop free [17, 18] if at any point in 
time the routing tables are free of loops, despite possible modification of the edge- 
weights in the graph {i.e., for any two nodes u and v, the actual routing tables 
determines a simple path from u to v, at any time). The loop-free property [15, 
16] in self-stabilization guarantees that, a spanning tree being constructed (not 
necessarily a "minimal" spanning tree for some metric), then the self-stabilizing 
convergence to a "minimal" spanning tree maintains a spanning tree at all times 
(obviously, this spanning tree; is not "minimal" at all times). The consequence of 
this safety property in addition to that of self-stabilization is that the spanning 
tree structure can still be used {e.g. for routing) while the protocol is adjusting, 
and makes it suitable for networks that undergo such very frequent dynamic 
changes. In order to deal with the network churn, super-stabilization captures 
the quality of services a tree stucture can offer during and after a localized topo- 
logical change. Super-stabilization [19] is an extension of self-stabilization for 
dynamic settings. The idea is to provide some minimal guarantees (a passage 
predicate) while the system repairs after a topology change. In the case of op- 
timized spanning trees algorithms while converging to a correct configuration 
{i.e. an optimized tree) after some topological change, the system keeps offering 
the tree service during the stabilization time to all members that have not been 
affected by this modification. 

Related works Relatively few works investigate merging self-stabilization and 
loop free routing, with the notable exception of [15,16,20]. In [15], Cobb and 
Gouda propose a self-stabilizing algorithm which constructs spanning trees with 
loop-free property. This algorithm allows to optimize general tree metrics from 
a considered root, such as bandwidth, delay, distance, etc ... To this end, each 
node maintains a value which reflects its cost from the root for the optimized 
metric, for example the maximum amount of bandwith on its path to reach the 
root. The basic idea is to allows a node to select a neighbor as its parent if this 
one offers a better cost. To avoid loop creation, when the cost of its parent or 
the edge-cost to its parent changed a propagation of information is started to 
propagate the new value. A node can safely change its parent if its propagation 
of information is ended. Thus, a node can not select one of its descendant as its 
parent. This algorithm requires a upper bound on the network diameter known 
to every participant to detect the presence of a cycle and to reset the states of 
the nodes. Each node maintains its distance from the root and a cycle is detected 
when the distance of a node is higher than the diameter upper bound. 

Johncn and Tixeuil [16] propose another loop-free self-stabilizing algorithm 
constructing spanning trees, which makes no assumption on the network. This 
algorithm follows the same approach used in [15], that is using propagation 
of information in the tree. As in [15], this second algorithm constructs trees 
optimizing several metrics from a root, e.g., depth first search tree, breadth 
first search tree, shortest path tree, etc. Since no upper bound on the network 



diameter is used, when a cycle is present in the initial network state the protocol 
continues the initiate propagation of information to grow the value of the nodes 
in the cycle. The values of these nodes grow until the value of a node reaches a 
threshold which is the value of a node out of the cycle. Thus, the node reaching 
this threshold discover a neighbor which offers a better value and can select it to 
break the cycle. When no cycle is present in the network, the system converges 
to a correct state. 

Also, both protocols use only a reasonable; amount of memory (0(log n) bits 
per node) and consider networks with static topology and dynamic edge costs. 
However, the metrics that are considered in [15,16] are derivative of the short- 
est path (distance graph) metric, that is considered a much easier task in a 
distributed setting than that of tree metrics not based on distances, e.g., min- 
imum spanning tree, minimum degree spanning tree, maximum leaf spanning 
tree, etc. Indeed, the associated metric is locally optimizable [21], allowing es- 
sentially locally greedy approaches to perform well. By contrast, some sort of 
global optimization is needed for tree metrics not based on distances, which often 
drives higher complexity costs and thus less flexibility in dynamic networks. 

Recently, [20] proposed a loop-free self-stabilizing algorithm to solve the 
minimum spanning tree problem for networks, assuming a static topology but 
dynamic edge costs. None of the previously mentioned works can cope with 
both dynamic edge changes (loop-freedom) and dynamic local topology changes 
(super-stabilization). Also, previous works are generic only for local tree metrics, 
while global tree metrics require ad hoc solutions. 

Our contributions We propose a distributed generic scheme to transform exist- 
ing self-stabilizing protocols that construct spanning tree optimizing an arbi- 
trary tree metric (local or global), adding loop- free and super-stabilizing prop- 
erties to the input protocol. Contrary to existing generic protocols [15,16], our 
approach provides the loop-free property for any tree metric (global or local, 
rather than only local). Our technique also adds super-stabilization, which the 
previous works do not guarantee. Our scheme consists in composing a distributed 
self-stabilizing spanning tree algorithm (established and proved to be correct for 
a given metric) with a novel BFS construction protocol that is both loop-free 
and super-stabilizing. The output of our scheme is a loop-free super-stabilizing 
spanning tree optimizing the tree metric of the input protocol. Moreover, we 
provide complexity analysis for the BFS construction in both static and dy- 
namic settings. We examplify our scheme with two case study: the maximum 
flow tree and the minimum degree spanning tree. In both cases, the existing self- 
stabilizing algorithms can be enhanced via our method with both loop-free and 
super-stabilizing properties. Interestingly enough, the stabilization time com- 
plexity of the original protocols is not worsen by the transformation. 

2 Model and notations 

We consider an undirected weighted connected network G = {V,E,w) where 
V is the set of nodes, E is the set of edges and w : E ^ 1R+ is a positive cost 



function. Nodes represent processors and edges represent bidirectional communi- 
cation links. Additionally, we consider that G = (V, E, w) is a dynamic network 
in which the weight of the communication links and the sets of nodes and edges 
may change. We consider anonymous networks (i.e., processors have no IDs), 
with one distinguished node, called the root^. Throughout the paper, the root is 
denoted r. We denote by deg(u) the number of v's neighbors in G. The deg{v) 
edges incident to any node v are labeled from 1 to deg(w), so that a processor 
can distinguish the different edges incident to a node. 

The processors asynchronously execute their programs consisting of a set of 
variables and a finite set of rules. The variables are part of the shared register 
which is used to communicate with the neighbors. A processor can read and 
write its own registers and can only read the shared registers of its neighbors. 
Each processor executes a program consisting of a sequence of guarded rules. 
Each rule contains a guard (boolean expression over the variables of a node and 
its neighborhood) and an action (update of the node variables only). Any rule 
whose guard is true is said to be enabled. A node with one or more enabled rules 
is said to be privileged and may make a move executing the action corresponding 
to the chosen enabled rule. 

A local state of a node is the value of the local variables of the node and the 
state of its program counter. A configuration of the system G = {V, E) is the 
cross product of the local states of all nodes in the system. The transition from 
a configuration to the next one is produced by the execution of an action of at 
least one node. A computation of the system is defined as a weakly fair, maximal 
sequence of configurations, e = (co, ci, . . . Cj, . . .), where each configuration Cj+i 
follows from Ci by the execution of a single action of at least one node. During 
an execution step, one or more processors execute an action and a processor 
may take at most one action. Weak fairness of the sequence means that if any 
action in G is continuously enabled along the sequence, it is eventually chosen 
for execution. Maximality means that the sequence is either infinite, or it is finite 
and no action of G is enabled in the final global state. 

In the sequel we consider the system can start in any configuration. That 
is, the local state of a node can be corrupted. Note that we don't make any 
assumption on the bound of corrupted nodes. In the worst case all the nodes in 
the system may start in a corrupted configuration. In order to tackle these faults 
we use self-stabilization techniques. 



^ Observe that the two self-stabilizing MST algorithms mentioned in the Previous 
Work section assume that the nodes have distinct IDs with no distinguished nodes. 
Nevertheless, if the nodes have distinct IDs then it is possible to elect one node as a 
leader in a self-stabilizing manner. Conversely, if there exists one distinguished node 
in an anonymous network, then it is possible to assign distinct IDs to the nodes in a 
self-stabilizing manner [2]. Note that it is not possible to compute deterministically a 
MST in a fully anonymous network (i.e., without any distinguished node), as proved 
in [22]. 



Definition 1 (self-stabilization). Let C_a be a non-empty legitimacy predi- 
cate''^ of an algorithm A with respect to a specification predicate Spec such that 
every configuration satisfying C_a satisfies Spec. Algorithm A is self-stabilizing 
with respect to Spec iff the following two conditions hold: 

(i) Every computation of A starting from a configuration satisfying £^ preserves 
Lj( (^closurej. 

(u) Every computation of A starting from an arbitrary configuration contains a 
configuration that satisfies jC^ ('convergence^. 

We define bellow a loop-free configuration of a system as a configuration 
which contains paths with no cycle between any couple of nodes in the system. 

Definition 2 (Loop-Free Configuration). Let Cycle{u,v) be the following 
predicate defined for two nodes u, v on configuration C, with P{u, v) a path from 
u to V described by C: 

Cycle{u, v) = 3P{u, v), P{v, u) : P{u, v) n P{v, u) = 0. 

A loop-free configuration is a configuration of the system which satisfies \/u, v : 
Cycle{u,v) = false. 

We use the definition of a loop-free configuration to define a loop-free stabi- 
lizing system. 

Definition 3 (Loop-Free Stabilization). A distributed system, is called loop- 
free stabilizing if and only if it is self-stabilizing and there exists a non-empty 
set of configurations such that the following conditions hold: (i) Every execution 
starting from a loop-free configuration reaches a loop-free configuration (closure). 
( a) Every execution starting from an arbitrary configuration contains a loop- free 
configuration (convergence). 

Definition 4 (Super-stabilization [19]). A protocol P is super-stabilizing 
with respect to a class of topology change event A iff the following two condi- 
tions hold: 

(i) P is self-stabilizing and (ii) for every computation beginning at a legitimate 
configuration and containing a single topology change events of type A, a passage 
predicate holds. 

In the sequel we study the problem of constructing a spanning tree optimizing 
a desired metric in self-stabilizing manner, while guaranteeing the loop-free and 
super-stabilizing properties. 

3 Super-stabilizing Loop-Free BFS 

In this section, we describe the extension of the self-stabilizing loop-free al- 
gorithm proposed in [16] to dynamic networks. Furthermore, we disscuss the 

A legitimacy predicate is defined over the configurations of a system and is an 
indicator of its correct behavior. 



super-stabilization of new algorithm. Interestingly, our algorithm preserves the 
loop- free property without any degradation of the time complexity of the original 
solution. 

3.1 Algorithm description 

Algorithm Dynamic-LoopPree-BFS constructs a BFS tree and guarantees the 
loop- free property for dynamic networks. That is, when topological changes arise 
in the network (add or deletion of nodes or edges) the algorithm maintains a BFS 
tree without creating a cycle in the spanning tree. To this end, each node has two 
states: Neutral, noted N, and Propagate, noted P. A node in state N can safely 
select as parent its neighbor with the smallest distance (in hops) from the root 
without creating a cycle. A node in state P has an incoherent state according 
to its parent in the spanning tree. In this case, the; node; must not select a new 
parent otherwise a cycle can be created. So, this node has to inform first its 
descendants in the tree that an incoherency in the BFS tree was detected. Then, 
it corrects when all its subtrees have recovered a coherent state. Therefore, a 
node V in state P initiates a propagation of information with feedback in its 
subtree. When the propagation is finished the nodes in the subtree v (including 
v) recovers a correct distance and the state N. 

We consider a particular node r which acts as the root of the BFS tree in 
the network. Every node executes the same algorithm, except the root which 
uses only Rule RinitRoot to correct its state. In a correct state, the root r of the 
BFS tree has no parent, a zero level and the state N. Otherwise, Rule RinitRoot 
is executed by r to correct its state. 

The other five rules are executed by the other nodes of the network. 

Rule RsafeChangeP is used by a node v with the state if it detects a better 
parent, i.e., a neighbor node with a lower level than the level of its actual parent. 
In this case, v can execute this rule to update its state in order to select a new 
parent without creating a cycle in the tree. 

If a node v has the best parent in its neighborhood but an incoherent level 
according to its parent, then v executes Rule RLevei++ to change its status to P 
and to initiate a propagation of information with feedback which aims to inform 
its descendants of its new correct level. A descendant x of node v with state N 
with a parent in state P executes Rule RLevei++ to continue the propagation and 
to take into account its new level. 

When a leaf node x, descendant of v in Status P is reached, x stops the prop- 
agation by executing Rule REndPropag to change its state to N and to obtain its 
correct level. The end of propagation is pull up in the tree using Rule REndPropag- 

Rule RLeveiCorrect Corrects at node v the variable used to propagate the new 
level in the tree (variable NewLevel^) if this variable is lower than the actual 
level of V. 

Rule Roynamic dcals with the dynamism of the network. This rule is executed 
by a node v when it detects that its parent is no more in the network and it 
cannot select with Rule RsafeChangeP a new parent because of its level (otherwise 
it may create a cycle). The aim of this rule is to increase the level of node v 



using propagations of information as with Rule RLevei++ , until ?;'s level allows v 
to select a neighbor as its new parent withoiit creating a cycle. 

Figure 2 illustrates the mechanic of Rule RDynamic- In Figure 2(a) is depicted 
a part of the constructed BFS tree before the deletion of the node of level 2. 
After the deletion of this node, the node v with level 3 executes Rule Roynamic 
to increase its level (eqiial to the lowest neighbor level plus one) in order to 
recover a new parent. Figure 2(b) shows the new level of v and the new levels 
ii's descendants when the first propagation is ended. However, a level of 5 is not 
sufficient to allow v to select a new parent, so a second propagation is started 
by V which affects the levels given by Figure 2(c). Note that a descendant of v 
can leave w's subtree to obtain a better level if possible, this can be observed in 
Figure 2(c). Finally, v reaches a state with a level which allows v to execute Rule 
RsafeChangeP to Select its new parent, and w's descendants execute Rule RLevei++ 
to correct their levels according to w's level. Figure 2(d) shows the new levels 
computed by the nodes. 

Detailed level description. In the following, we describe the variables, the 
predicates and the rules used by Algorithm Dynamic-LoopFree-BFS. 

Variables: For any node v G V{G), we denote by N{v) the set of all neighbors of 
i> in G and by Vy the set of sons of v in the tree. We use the following notations: 

— p^: the parent of node v in the current spanning tree; 

— statust,: the status of node v, P when ?; is in a propagation phase, N other- 



— levels : the number of edges from v to the root r in the current spanning tree; 

— NewLevel„: the new level in the current spanning tree (used to propagate the 
new level). 



PropagEnd('f ) = (Vti e D^i.statusu — N) 

Pchange(w) = {Icvclv < level„ V (level„ = levelv A p„ ^ parent v)) Aparent„ ^ -L 
Levelup(v) = level,, '^^elp^ + 1 V (statusp^ = P h level,, ^ NewLevelp^ + 1) 



wise; 




oo otherwise 



Fig. 1. Predicates used by the algorithm. 



The root of the tree executes only the first rule, named RinitRoot; while the 
other nodes execute the five last rules. 




(a) (b) (c) (d) 



Fig. 2. Correction of the BFS tree after a node deletion. 

RinitRoot : (Root Rule) 

if = r A (p„ 7^ _L V levels 7^ V NewLevel„ 7^ V status,, ^ N) 
then p„ := ±; levels := 0; NewLevel^ := 0; status^ := N; 

RsafeChangeP : (Safe parent change Rule) 

ii v^r A status^ = A Pchange(w) 

then level„ := levels; NewLevel„ := level^; p„ := parent^, 

RLevei++ : (Increment level Rule) 

if 11 7^ r A status^ = A'" A e N{v) A -'Pchange(^^) A Levelup(i') 
then status^ := P; NewLevel„ := NewLevelp^ + 1; 

REndPropag '■ (End of propagation Rule) 

if ?; 7^ r A status^ = P A PropagEnd(«) A ubly > NewLevel^ 
then status^ := A'^; levels := NewLevel^; 

RLeveiCorrect : (Level Correction Rule) 

if 11 7^ r A NewLevel^ < levelt, then NewLevel,, := level,,; 

RDynamic '■ (Increment level Rule for dynamic networks) 

if w 7^ r A status,, = A p,, ^ A^('i;) A -'Pchange(?^) 
then status^ := P; NewLevel„ := levels, 

3.2 Correctness proof 

The algorithm proposed in the precedent subsection extends the algorithm of 
[16] to dynamic network topologies. When the system is static the correctness of 
the algorithm directly follows from the results proven in [23] . In the following, we 
focus only the case of dynamic topologies, i.e., when nodes/edges of the tree fails 
or nodes/edges are added in the network. Note that in the following, we only 
study the case of an edge failure. A node failure produces the same consequences. 



i.e., the spanning tree is splitted and some nodes have no parent. Moreover, we 
do not consider edges out of the tree because this does not lead the system in an 
illegitimate configuration. After each fail of node or edge in the tree, we assume 
the uderlying network is always connected. 

In [23] , a legitimate configuration for the algorithm is defined by the following 
predicate satisfied by every node v G V: Pt^'^ = [{v = r) A (level„ = 0) A 
(status^ = iV)]V[(w r)A(level^ = levels) A (status^ = iV)A(level^ = levelp^+1)], 
with ^ r, levels = min{level„ + 1 : u € N{v)} defines the optimal level of node 

V. 

Note that after a fail of an edge of the tree T, Predicate Pr^^ is not satisfied 
anymore. The tree T splits in a forest F which contains the subtrees of T. Let 

Orph be the set of nodes v such that ^ N{v), note that r ^ Orph. The 
following predicate is satisfied by every node v Cz V,v ^ Orph 



We show below that each node with no parent in F starts a propagation of 
information in its subtree. 

Lemma 1. Let a node v €V,v G Orph. //status^ = A'' anrf Pchange(v) = false 
then status v eventually moves to P. 

Proof. Let v E V,v <E Orph be a node such that status^ = A'^ and Pchange(w) = 
false. V can only execute Rules RLeveiCorrect or Roynamio because v can not execute 

Rules RsafeChangeP, RLevel++ and REndPropag Since StatUS^ = N, Pchange(^^) = false 

and p,, ^ N{v). To change its status from A to P, a node v £ Orph must 
execute Rule Roynamic- Suppose that v does not execute Rule Roynamic- So v can 
only execute Rule RLeveiCorrect- However, after execution of Rule RLeveiCorrect we 
have NewLevel„ := level„ and the guard of Rule RLeveiCorrect is no more satisfied. 
Thus, only the guard of Rule Roynamic is satisfied and v remains enabled until it 
performs Rule Roynamic- Therefore, the scheduler eventually selects v to perform 

Rule Roynamic- □ 

According to Lemma 9 in [23], a node v such that status^, = P eventually 
performs Rule REndPropag to change its status to A^. In the following, we show 
that a node in Orph (i.e., without a parent in its neighborhood) eventually leaves 
the set Orph. 

Lemma 2. Let v gV,v G Orph. Eventually, v is not anymore in the set Orph 
and selects a parent without creating a cycle. 

Proof. We show the lemma by induction on the height of the subtree of v. 
Consider the case where a node v G Orph has a neighbor u G N{v) such that 
level„ < levels . We assume that for every node a; in i^, a; ^ Orph, we have 
levelp^ + 1 < levelj;. So, u can not be a descendant of v. Thus, v performs Rule 
RsafeChangeP to choosc u as its parent without creating any cycle in F. Otherwise, 
every node u G N{v) is a child of v. According to Lemma 9 in [23] and Lemma 




1 (above), the level of every node in the subtree of v increases. Since we assume 
the network is always connected, there exists a leaf node x in the subtree of v 
such that levels; > levelx = levely, with y e N{x). Thus, x can execute Rule 
RsafeChangeP to choosc y as its parent and x leaves the subtree of v. Since the 
height of the subtree of v is finite, eventually v can choose a neighbor u as its 
parent because u is no more in the subtree of v. Therefore, in a finite time a 
node V e Orph leaves the set Orph by selecting a parent in its neighborhood 
without creating a cycle. □ 

According to Lemma 2, each node has a parent and no cycle is created. Thus, 
the system reaches a configuration where a spanning tree is constructed. So the 
analysis given in [23] can be used to show that the system reaches a configu- 
ration in which for each node v G V we have levels = levelt,. Since the; initial 
configuration contains a spanning tree, the algorithm stabilizes to a breadth first 
search tree and during the stabilization of the algorithm the loop-free property 
is maintained, as showed in [23]. 

Above we consider only the fail of nodes/edges of the tree, now we discuss 
the add of nodes and edges in the network. In a legitimate configuration, after 
the add of an edge every node v € V always satisfies levels > level^. According 
to Lemma 12 and Corollary 1 in [23], in a finite time eventually for every node 

V £ V we have level„ = level„. In a legitimate configuration, after the add of 
a node v Rule RsafeChangeP is executed by v to select a neighbor u e N{v) as 
its parent, there exists such a node u because we assume that the network is 
always connected. Therefore, the system is in an arbitrary configuration where a 
spanning tree is constructed. Therefore, the analysis given in [23] can be used to 
show that in a finite time for every node v G V we have levels = levelt,. Moreover, 
in the case of node/edge adds the initial configuration contains a spanning tree, 
thus the loop-free property is maintained by the algorithm. 

In the following, we prove that the presented algorithm has a superstabilizing 
property for a particular class of topology change events. We show that a passage 
predicate is satisfied during the restabilizing execution of our algorithm. We 
define the considered topology change events, noted e: 

— an add (resp. a removal) of an edge {u,v) in the network noted recov„„ 
(resp. crashji^); 

— an add (resp. a removal) of a neighbor node u of w in the network noted 
recov„ (resp. crash„). 

In the sequel, we suppose that after every topology change event the network 
remains connected. We provide below definitions of the topology change events 
class A and passage predicate. 

Definition 5 (Class A of topology change events). crash„v and crash„ 
compose the class A of topology change events. 

Definition 6 (Passage predicate). The parent of a node v can be modified if 

V is in the subtree connected by the removed edge or node, and the parent is not 
changed for any other node in the tree. 



Lemma 3. The proposed protocol is superstahilizing for the class A of topology 
change events, and the passage predicate (Definition 6) continues to he satisfied 
while a legitimate configuration is reached. 

Proof. Consider a legitimate configuration A. Suppose e is a removal of edge 
{u, v) from the network. If {u, v) is not a tree edge then the levels of u and v are 
not modified and neither u nor v changes its parent, thus no parent variable is 
modified. Otherwise, let = u, ?i's level and u's parent are not modified, it is 
true for any other node x not contained in the subtree of v since the distance 
between x and the root r in the graph is not modified (i.e., Predicate Pchange(a;) 
is not satisfied). However, u is no more a neighbor of v so according to Lemma 1 
V executes Rule Roynamic and starts a propagation phase. Moreover, according 
to Lemma 2 v selects a new parent without creating a cycle. Therefore, only a 
node in the subtree connected by the edge [v, v) may change its parent. 

Suppose £ is a removal of node u from the network. Any node x not contained 
in the subtree of u do not change its parent relation because the distance between 
X and the root node r is not modified (i.e., Predicate Pchange(2;) is not satisfied). 
Consider each edge {u,v) between u and its child v, we can apply the same 
argument described above for an edge removal. So only any node contained in 
the subtree connected by u may change its parent. □ 

3.3 Complexity analysis 

In the following we focus the complexity analysis of our algorithm in both static 
and dynamic networks. Note that the original algorithm proposed in [16] had no 
complexity analysis. Interestingly, we prove that our extension has a zero time 
extra-cost with respect to the original solution. 

Lemma 4. Starting from an arbitrary configuration, in at most O(n^) rounds 
a breadth first search tree is constructed by the algorithm in a static network. 

Proof. To construct a spanning tree, the algorithm must remove all the cycles 
present in the starting configuration. So, we first analyze the number of rounds 
needed to remove a cycle. 

To remove a cycle, a node of the cycle must change its parent to select a 
node out of the cycle, such a node is named a break node. A node can change 
its parent using Rule RsafeChangeP, but a break node executes Rule RsafeChangeP if 
the level of the new parent (out of the cycle) is lower than the level of the break 
node. Consider a break node x and the neighbor y of x which must be selected 
as the new parent of x. We note L.,, and Ly the level of x and y respectively. To 
select y as its new parent and to break the cycle, x must have its level such 
that Ly < Lx. In the cycle, a node corrects its level according to its parent by 
initiating a propagation of information with Rules RLevei++ and REndPropag- Thus 
the number of increments until we have Ly < L^ is equal to [-^--^-j^— -^1 , with 
|C| the size of the cycle C to break. The propagation of information is in order 
of the size of C. Thus, 0((Lx + 1) — Ly) rounds are needed to have Ly < L^. 



Since we want to construct a breadth first search tree the level of a node cannot 
exceed n, with n the size of the network. Thus, we consider that the level of a 
node is encoded using logn bits. The biggest value for {L^ + 1) — Ly is obtained 
when Ly = 1 and therefore we have {L^ + I) — Ly <n. 

Since the maximum number of possible cycles of a network is no more than 
n/2, obtained with cycles of size 2, we have that in O(n^) all cycles are removed 
in the network and a spanning tree is constructed. In at most 0{D) additional 
rounds a breadth first tree is constructed, with D the diameter of the network. 
Indeed, no cycle is created by the algorithm until reaching a legitimate configu- 
ration, since the algorithm guarantee the loop-free property. □ 

Lemma 5. Starting from an arbitrary configuration, in at most 0{n?) rounds 
a breadth first search tree is constructed by the algorithm in a dynamic network. 

Proof. In a dynamic network, for a node we can have the case where the edge 
leading to its parent or its parent is deleted from the network. When a node x 
detects this case, x executes Rule RDynamic to find a new parent in the network. 
To accomplish this task, x starts a propagation of information to increment its 
level since it has an incorrect level according to its parent (which is no more in 
the network). 

We have two cases for the new parent selected by x. The first case is that the 
new parent of a; is a neighbor y with level Ly bigger than a;'s level L^- In this 
must increment its level to have the condition Ly < L^. To obtain this 
condition, at most Ly — L^ increments are needed, that is at most n increments 
since we want to construct a breadth first tree and the level of a node is encoded 
using log n bits. The second case is that x selects one of its children u as its new 
parent, but to preserve the loop- free property x can do this only when u is no 
more a child of x. The worst case for x is to wait that it has no more children if u 
is its only child, that is the subtree of x has disappeared. At most n increments 
are needed to have that x has an empty subtree. 

In all cases, at most n increments are needed and the number of rounds for a 
propagation of information is in the order of the size of the subtree of x, that is 
at most n. Thus, in at most O(n^) rounds x finds a new parent in the network, 
then we can consider we are in the case of a static network and Lemma 4 can be 
applied. Therefore, in at most O(n^) rounds a legitimate configuration is reached 
by the algorithm. □ 

4 Super-stabilizing Loop-Free transformation scheme 

Our objective is to design a generic scheme for the construction of spanning 
trees considering any metric (not only metrics based on distances in the graph) 
with loop-free and super-stabilizing properties. The idea is to extend an existing 
self-stabilizing spanning tree optimized for a given metric (e.g. MST, maximum 
degree spanning tree, max-flow tree etc) with super-stabilizing and loop-free 
properties via the composition with a spanning tree construction that already 



satisfies these properties. Assume M be the predicate that captures the prop- 
erties of the metric to be optimized. Consider A the algorithm that outputs a 
self-stabihzing spanning tree and verifies A4. That is, given a graph, A computes 
the set of edges Sj\ that satisfies A4 and is a spanning tree. Consider Algorithm 
B an algorithm that outputs a super- stabilizing and loop- free spanning tree Sb- 
Ideally, if all edges in <S^ are included in Ss then there is no need for further 
transformations. However, in most of the cases the two trees are not identical. 
Therefore, the idea of our methodology is very simple. Algorithms A and B run 
such that the output of A defines the graph input for B. That is, the neighbor- 
hood relation used by B is the initial graph filtered by A to satisfy the predicate 
Ai. The principal of this composition is already known in the literature as fair 
composition [24]. In our case the "slave" protocol is protocol A that outputs the 
set of edges input for the "master" protocol B. 

The following lemma direct consequence of the results proven in [24] guar- 
anties the correctness of the composition. 

Lemma 6. Let A4 be the predicate that captures the properties of the metric 
to be optimized. Let A be an algorithm that outputs a self-stabilizing spanning 
tree that satisfies A4, S_a.- Let B be a loop-free protocol that computes a spanning 
tree on the topology defined by Sa and super- stabilizing for a class of topology 
changes A. The fair composition of A and B is a protocol that outputs a loop-free 
spanning tree that satisfies M. and is super-stabilizing for A. 

Note that our super-stabilizing loop-free BFS can be used as protocol B in 

the above composition. The interesting property of the composition is that the 
time complexity will be maximum between O(n^) and the complexity time of 
the candidate to be transformed. Note that so far, the best time complexity of a 
spanning tree optimized for a given metric is O(n^) which leads to the conclusion 
that the composition does not alterate the time complexity of the candidate. 

In the following, we specify the predicate A4 for two well known problems: 
max-flow trees and minimum degree spanning trees. 

Case study 1: Maximum- flow tree The problem of constructing a maximum- 
flow tree from a given root node r can be stated as follows. Given a weighted 
undirected graph G = {V,E,w), the goal is to construct a spanning tree T = 
(V, Et) rooted at r, such that for every node v G V the path between r and v 
has the maximum flow. Formally, let fw{v) = rava{fw{p^), w{p^, v)) the flow for 
every node v gV m. tree 7" and mfwy the maximum flow value of v among all 
spanning trees of G rooted at r. The maximum-flow tree problem is to compute 
a spanning tree T, such that \fv 6 V, fw{v) = mfwy. The max flow tree problem 
has been studied e.g. in [21]. In this case, the graph G^^^ = {Vs^,S_a) for the 
maximum-flow tree problem must satisfles the following predicate: 

M = {\Sa\ = n-l)A{V = Vs^)A{Vv G V,fw{v) = max{min(/w(w), u)) : u S N{v)}). 

Case study 2: Minimum degree spanning tree Given an undirected graph G = 
{V,E) with \V\ = n, the minimum degree spanning tree problem is to construct 



a spanning tree T ^ {V, Et), such that the maximum degree of T is minimum 
among all spanning trees of G. Formally, let deg-r(v) the degree of node v yd. 
the subgraph T and deg{T) the maximum degree of subgraph T (i.e., deg{T) = 
v[ia.yi{deg-r{v) : v G V}). The minimum spanning tree problem is to compute a 
spanning tree T, such that deg(T) = mm{deg{T') : T' is a spanning tree of G}. 
A self-stabilizing solution for the minimum degree spanning tree algorithm has 
been proposed in [25]. If this solution plays the slave master in our transformation 
scheme then the graph = {Vs_^,SX) input for the BFS algorithm satisfy 
the following predicate: 

M = {\Sa\= n-l)A{V = Vs^)Adeg{Gs^) = m.m{deg{T') : T' a spanning tree of 
5 Concluding remarks 

We presented a scheme for constructing loop-free and super-stabilizing protocol 
for universal tree metrics, without significant impact on the performance. There 
are several open questions raised by our work: 

1 . Decoupling various added properties (such as loop-freedom or super-stabilizatio 
seems desirable. As a particular network setting may not need both prop- 
erties and/or temporarily run in conditions where the network is essentially 
static, some complexity cost could be saved by removing uneeded proper- 
ties. Of course, stripping our scheme can trivially result in a generic loop- 
free transformer or to a generic super-stabilizing transformer. Yet, modular 
design of features, as well as further enhancements (such as safe conver- 
gence [26,27]), seems an interesting path for future research. 

2. The implementation of self-stabilizing protocols recently was helped by com- 
pilers that take as input guarded commands and provide as output actual 
source code for existing devices [28]. Transformers such as this one would 
typically benefit programmers' toolboxes as they ease the reasoning by keep- 
ing the source code intricacies at a very high level. Actual implementation 
of our transformer into a programmer's toolbox is a challenging ingeneering 
task. 
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